ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.

The remote Solaris system is missing necessary patches to address security updates :

  - ProFTPD before 1.3.5rc1, when using the UserOwner     directive, allows local users to modify the ownership of     arbitrary files via a race condition and a symlink     attack on the (1) MKD or (2) XMKD commands.
    (CVE-2012-6095)

The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ProFTPD. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could possibly execute arbitrary code with       the privileges of the process, perform man-in-the-middle attacks to spoof       arbitrary SSL servers, cause a Denial of Service condition, or read and       modify arbitrary files.
  Workaround :

    There is no known workaround at this time.

The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host earlier than 1.3.4c.  As such, it is potentially affected by a race condition error that does not securely create temporary files related to symlinks and newly created directories.  A local, attacker could leverage this issue to overwrite arbitrary files and elevate privileges. 

Note that Nessus did not actually test for the flaw but has instead relied on the version in ProFTPD's banner.

A vulnerability has been found and corrected in proftpd :

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands (CVE-2012-6095).

The updated packages have been patched to correct thies issue.

Jann Horn reported that there is a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd. This race applies to mod_sftp and the handling of the MKDIR SFTP request as well.

Note that using the DefaultRoot directive to restrict sessions mitigates this attack, since the symlinks created by the local attacker will point outside of the chroot(2) area within the FTP session, and thus the ownership change will fail. The default configuration in Fedora applies the DefaultRoot directive to all users except 'adm'.

The upstream reference for this issue is:
http://bugs.proftpd.org/show_bug.cgi?id=3841

This update includes upstream's backport to proftpd 1.3.4 of the fix for this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It has been discovered that in ProFTPd, an FTP server, an attacker on the same physical host as the server may be able to perform a symlink attack allowing to elevate privileges in some configurations.

ID	Name	Product	Family	Severity
80743	Oracle Solaris Third-Party Patch Update : proftpd (cve_2012_6095_race_conditions)	Nessus	Solaris Local Security Checks	low
70111	GLSA-201309-15 : ProFTPD: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
66970	ProFTPD FTP Command Handling Symlink Arbitrary File Overwrite	Nessus	FTP	low
66067	Mandriva Linux Security Advisory : proftpd (MDVSA-2013:053)	Nessus	Mandriva Local Security Checks	low
64367	Fedora 17 : proftpd-1.3.4b-5.fc17 (2013-0483)	Nessus	Fedora Local Security Checks	low
64366	Fedora 16 : proftpd-1.3.4b-5.fc16 (2013-0468)	Nessus	Fedora Local Security Checks	low
64365	Fedora 18 : proftpd-1.3.4b-5.fc18 (2013-0437)	Nessus	Fedora Local Security Checks	low
63512	Debian DSA-2606-1 : proftpd-dfsg - symlink race	Nessus	Debian Local Security Checks	low

Detections

Analytics

CVE-2012-6095

high

Tenable Plugins

low

critical

low

low

low

low

low

low